Fix ldap with ssl

2025-12-07 01:58:09 +01:00 · 2021-09-11 02:48:28 +02:00
parent fd696f8c28
commit c005a20cc0
4 changed files with 80 additions and 36 deletions
--- a/dev/examples/ldap/ldapsearch_sample1.txt
+++ b/dev/examples/ldap/ldapsearch_sample1.txt
@@ -3,11 +3,26 @@
 #
 # Use this sample to search into a ldap
 #
-# ldapsearch -h hostname -x
-# ldapsearch -h hostname -x -b "ou=people,dc=teclib,dc=infra"
-# ldapsearch -h hostname -x -z 0 -b "o=somecompany.com" -D "cn=manager,o=somecompany.com" -w password "(objectclass=*)"
-# ldapsearch -h hostname -x -b "o=somecompany.com" -D "cn=manager,o=somecompany.com" -w password "(objectclass=*)"
+
+# Anonymous access
+# ldapsearch -h hostname -p 389
+#
+# Login access (using a Bind DN)
+# ldapsearch -h hostname -p 389 -z 0 -D "uid=root,cn=users,dc=ldap,dc=test,dc=local" -w password
+# ldapsearch -H ldap://hostname:389 -z 0 -D "uid=root,cn=users,dc=ldap,dc=test,dc=local" -w password
+# ldapsearch -d1 -H ldap://hostname:389 -x -z 0 -D "uid=root,cn=users,dc=ldap,dc=test,dc=local" -w password
+# ldapsearch -H ldap://hostname:389 -z 0 -D "uid=root,cn=users,dc=ldap,dc=test,dc=local" -w password
+#
+# Login access in SSL (using a Bind DN)
+# ldapsearch -H ldaps://hostnamme:636 -z 0 -D "uid=root,cn=users,dc=ldap,dc=test,dc=local" -w password -b "cn=users,dc=ldap,dc=test,dc=local
+# If it fails, you may try to use "hostname" that is real name of certificate.
+# You must also check that /etc/ldap/ldap.conf contains the line TLS_CACERT /etc/ssl/certs/ca-certificates.crt
+
+# What to search
+# ldapsearch -h hostname -p 389 -x -D "uid=root,cn=users,dc=ldap,dc=test,dc=local" -w password -b "cn=users,dc=ldap,dc=test,dc=local"
+# ldapsearch -h hostname -p 389 -x -D "cn=manager,o=somecompany.com" -w password -b "ou=people,dc=teclib,dc=infra"
+# ldapsearch -h hostname -p 389 -x -D "cn=manager,o=somecompany.com" -w password -b "o=somecompany.com" "(objectclass=*)"
 #
 # Example to test a ldap search: 
-# ldapsearch -h hostname -x -z 5 -b 'OU=Collaborateurs,OU=Utilisateurs,OU=MyCompany,DC=bocal,DC=lan' -D 'CN=UserAdmin,OU=Informatique,OU=Utilisateurs,OU=MyCompany,DC=bocal,DC=lan' -w password
+# ldapsearch -h hostname -p 389 -x -z 5 -b 'OU=Collaborateurs,OU=Utilisateurs,OU=MyCompany,DC=bocal,DC=lan' -D 'CN=UserAdmin,OU=Informatique,OU=Utilisateurs,OU=MyCompany,DC=bocal,DC=lan' -w password

--- a/htdocs/admin/ldap.php
+++ b/htdocs/admin/ldap.php
@@ -43,6 +43,7 @@ $action = GETPOST('action', 'aZ09');
 // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
 $hookmanager->initHooks(array('adminldap', 'globaladmin'));

+
 /*
 * Actions
 */
@@ -150,7 +151,7 @@ $arraylist['0'] = $langs->trans("No");
 $arraylist['ldap2dolibarr'] = $langs->trans("LDAPToDolibarr");
 $arraylist['dolibarr2ldap'] = $langs->trans("DolibarrToLDAP");
 print $form->selectarray('activesynchro', $arraylist, $conf->global->LDAP_SYNCHRO_ACTIVE);
-print '</td><td>'.$langs->trans("LDAPDnSynchroActiveExample");
+print '</td><td><span class="opacitymedium">'.$langs->trans("LDAPDnSynchroActiveExample").'</span>';
 if ($conf->global->LDAP_SYNCHRO_ACTIVE && !$conf->global->LDAP_USER_DN) {
 	print '<br><font class="error">'.$langs->trans("LDAPSetupNotComplete").'</font>';
 }
@@ -163,7 +164,7 @@ if (!empty($conf->societe->enabled)) {
 	$arraylist['0'] = $langs->trans("No");
 	$arraylist['1'] = $langs->trans("DolibarrToLDAP");
 	print $form->selectarray('activecontact', $arraylist, $conf->global->LDAP_CONTACT_ACTIVE);
-	print '</td><td>'.$langs->trans("LDAPDnContactActiveExample").'</td></tr>';
+	print '</td><td><span class="opacitymedium">'.$langs->trans("LDAPDnContactActiveExample").'</span></td></tr>';
 }

 // Synchro member active
@@ -174,7 +175,7 @@ if (!empty($conf->adherent->enabled)) {
 	$arraylist['1'] = $langs->trans("DolibarrToLDAP");
 	$arraylist['ldap2dolibarr'] = $langs->trans("LDAPToDolibarr").' ('.$langs->trans("SupportedForLDAPImportScriptOnly").')';
 	print $form->selectarray('activemembers', $arraylist, $conf->global->LDAP_MEMBER_ACTIVE);
-	print '</td><td>'.$langs->trans("LDAPDnMemberActiveExample").'</td></tr>';
+	print '</td><td><span class="opacitymedium">'.$langs->trans("LDAPDnMemberActiveExample").'</span></td></tr>';
 }

 // Synchro member type active
@@ -185,7 +186,7 @@ if (!empty($conf->adherent->enabled)) {
 	$arraylist['1'] = $langs->trans("DolibarrToLDAP");
 	$arraylist['ldap2dolibarr'] = $langs->trans("LDAPToDolibarr").' ('.$langs->trans("SupportedForLDAPImportScriptOnly").')';
 	print $form->selectarray('activememberstypes', $arraylist, $conf->global->LDAP_MEMBER_TYPE_ACTIVE);
-	print '</td><td>'.$langs->trans("LDAPDnMemberTypeActiveExample").'</td></tr>';
+	print '</td><td><span class="opacitymedium">'.$langs->trans("LDAPDnMemberTypeActiveExample").'</span></td></tr>';
 }

 // Fields from hook
@@ -214,33 +215,33 @@ $arraylist = array();
 $arraylist['3'] = 'Version 3';
 $arraylist['2'] = 'Version 2';
 print $form->selectarray('LDAP_SERVER_PROTOCOLVERSION', $arraylist, $conf->global->LDAP_SERVER_PROTOCOLVERSION);
-print '</td><td>'.$langs->trans("LDAPServerProtocolVersion").'</td></tr>';
+print '</td><td><span class="opacitymedium">'.$langs->trans("LDAPServerProtocolVersion").'</span></td></tr>';

 // Serveur primaire
 print '<tr class="oddeven"><td>';
 print $langs->trans("LDAPPrimaryServer").'</td><td>';
-print '<input size="25" type="text" name="host" value="'.$conf->global->LDAP_SERVER_HOST.'">';
-print '</td><td>'.$langs->trans("LDAPServerExample").'</td></tr>';
+print '<input class="minwidth200" type="text" name="host" value="'.$conf->global->LDAP_SERVER_HOST.'">';
+print '</td><td><span class="opacitymedium">'.$langs->trans("LDAPServerExample").'</span></td></tr>';

 // Serveur secondaire
 print '<tr class="oddeven"><td>';
 print $langs->trans("LDAPSecondaryServer").'</td><td>';
-print '<input size="25" type="text" name="slave" value="'.$conf->global->LDAP_SERVER_HOST_SLAVE.'">';
-print '</td><td>'.$langs->trans("LDAPServerExample").'</td></tr>';
+print '<input class="minwidth200" type="text" name="slave" value="'.$conf->global->LDAP_SERVER_HOST_SLAVE.'">';
+print '</td><td><span class="opacitymedium">'.$langs->trans("LDAPServerExample").'</span></td></tr>';

 // Port
 print '<tr class="oddeven"><td>'.$langs->trans("LDAPServerPort").'</td><td>';
 if (!empty($conf->global->LDAP_SERVER_PORT)) {
-	print '<input size="25" type="text" name="port" value="'.$conf->global->LDAP_SERVER_PORT.'">';
+	print '<input class="width75" type="text" name="port" value="'.$conf->global->LDAP_SERVER_PORT.'">';
 } else {
-	print '<input size="25" type="text" name="port" value="389">';
+	print '<input class="width75" type="text" name="port" value="389">';
 }
-print '</td><td>'.$langs->trans("LDAPServerPortExample").'</td></tr>';
+print '</td><td><span class="opacitymedium">'.$langs->trans("LDAPServerPortExample").'</span></td></tr>';

 // DNserver
 print '<tr class="oddeven"><td>'.$langs->trans("LDAPServerDn").'</td><td>';
-print '<input size="25" type="text" name="dn" value="'.$conf->global->LDAP_SERVER_DN.'">';
-print '</td><td>'.$langs->trans("LDAPServerDnExample").'</td></tr>';
+print '<input class="minwidth300" type="text" name="dn" value="'.$conf->global->LDAP_SERVER_DN.'">';
+print '</td><td><span class="opacitymedium">'.$langs->trans("LDAPServerDnExample").'</span></td></tr>';

 // Utiliser TLS
 print '<tr class="oddeven"><td>'.$langs->trans("LDAPServerUseTLS").'</td><td>';
@@ -248,7 +249,7 @@ $arraylist = array();
 $arraylist['0'] = $langs->trans("No");
 $arraylist['1'] = $langs->trans("Yes");
 print $form->selectarray('usetls', $arraylist, $conf->global->LDAP_SERVER_USE_TLS);
-print '</td><td>'.$langs->trans("LDAPServerUseTLSExample").'</td></tr>';
+print '</td><td><span class="opacitymedium">'.$langs->trans("LDAPServerUseTLSExample").'</span></td></tr>';

 print '<tr class="liste_titre">';
 print '<td colspan="3">'.$langs->trans("ForANonAnonymousAccess").'</td>';
@@ -257,18 +258,18 @@ print "</tr>\n";
 // DNAdmin
 print '<!-- LDAP_ADMIN_DN -->';
 print '<tr class="oddeven"><td>'.$langs->trans("LDAPAdminDn").'</td><td>';
-print '<input size="25" type="text" name="admin" value="'.$conf->global->LDAP_ADMIN_DN.'">';
-print '</td><td>'.$langs->trans("LDAPAdminDnExample").'</td></tr>';
+print '<input class="minwidth300" type="text" name="admin" value="'.$conf->global->LDAP_ADMIN_DN.'">';
+print '</td><td class="maxwidthhalf"><span class="opacitymedium">'.$langs->trans("LDAPAdminDnExample").'</span></td></tr>';

 // Pass
 print '<!-- LDAP_ADMIN_PASS -->';
 print '<tr class="oddeven"><td>'.$langs->trans("LDAPPassword").'</td><td>';
 if (!empty($conf->global->LDAP_ADMIN_PASS)) {
-	print '<input size="25" type="password" name="pass" value="'.$conf->global->LDAP_ADMIN_PASS.'">'; // je le met en visible pour test
+	print '<input class="minwidth150" type="password" name="pass" value="'.$conf->global->LDAP_ADMIN_PASS.'">'; // je le met en visible pour test
 } else {
-	print '<input size="25" type="text" name="pass" value="'.$conf->global->LDAP_ADMIN_PASS.'">';
+	print '<input class="minwidth150" type="text" name="pass" value="'.$conf->global->LDAP_ADMIN_PASS.'">';
 }
-print '</td><td>'.$langs->trans('Password').' (ex: secret)</td></tr>';
+print '</td><td><span class="opacitymedium">'.$langs->trans('Password').' (ex: secret)</span></td></tr>';

 print '</table>';

--- a/htdocs/core/class/ldap.class.php
+++ b/htdocs/core/class/ldap.class.php
@@ -205,14 +205,26 @@ class Ldap
 				if ($this->serverPing($host, $this->serverPort) === true) {
 					$this->connection = ldap_connect($host, $this->serverPort);
 				} else {
-					continue;
+					if (preg_match('/^ldaps/i', $host)) {
+						// With host = ldaps://server, the serverPing to ssl://server sometimes fails, even if the ldap_connect succeed, so
+						// we test this case and continue in suche a case even if serverPing fails.
+						$this->connection = ldap_connect($host, $this->serverPort);
+					} else {
+						continue;
+					}
 				}

 				if (is_resource($this->connection)) {
-					// Begin TLS if requested by the configuration
+					// Upgrade connexion to TLS, if requested by the configuration
 					if (!empty($conf->global->LDAP_SERVER_USE_TLS)) {
-						if (!ldap_start_tls($this->connection)) {
+						// For test/debug
+						//ldap_set_option($this->connection, LDAP_OPT_DEBUG_LEVEL, 7);
+						//ldap_set_option($this->connection, LDAP_OPT_PROTOCOL_VERSION, 3);
+
+						$resulttls = ldap_start_tls($this->connection);
+						if (!$resulttls) {
 							dol_syslog(get_class($this)."::connect_bind failed to start tls", LOG_WARNING);
+							$this->error = 'ldap_start_tls Failed to start TLS '.ldap_errno($this->connection).' '.ldap_error($this->connection);
 							$connected = 0;
 							$this->close();
 						}
@@ -689,22 +701,38 @@ class Ldap
 	/**
 	 * Ping a server before ldap_connect for avoid waiting
 	 *
-	 * @param string		$host		Server host or address
+	 * @param string	$host		Server host or address
 	 * @param int		$port		Server port (default 389)
-	 * @param int		$timeout		Timeout in second (default 1s)
+	 * @param int		$timeout	Timeout in second (default 1s)
 	 * @return boolean				true or false
 	 */
 	public function serverPing($host, $port = 389, $timeout = 1)
 	{
-		// Replace ldaps:// by ssl://
+		$regs = array();
 		if (preg_match('/^ldaps:\/\/([^\/]+)\/?$/', $host, $regs)) {
+			// Replace ldaps:// by ssl://
 			$host = 'ssl://'.$regs[1];
-		}
-		// Remove ldap://
-		if (preg_match('/^ldap:\/\/([^\/]+)\/?$/', $host, $regs)) {
+		} elseif (preg_match('/^ldap:\/\/([^\/]+)\/?$/', $host, $regs)) {
+			// Remove ldap://
 			$host = $regs[1];
 		}
+
+		//var_dump($newhostforstream); var_dump($host); var_dump($port);
+		//$host = 'ssl://ldap.test.local:636';
+		//$port = 636;
+
+		$errno = $errstr = 0;
+		/*
+		if ($methodtochecktcpconnect == 'socket') {
+			Try to use socket_create() method.
+			Method that use stream_context_create() works only on registered listed in stream stream_get_wrappers(): http, https, ftp, ...
+		}
+		*/
+
+		// Use the method fsockopen to test tcp connect. No way to ignore ssl certificate errors with this method !
 		$op = @fsockopen($host, $port, $errno, $errstr, $timeout);
+
+		//var_dump($op);
 		if (!$op) {
 			return false; //DC is N/A
 		} else {
--- a/htdocs/langs/en_US/admin.lang
+++ b/htdocs/langs/en_US/admin.lang
@@ -1467,10 +1467,10 @@ LDAPSynchronizeMembersTypes=Organization of foundation's members types in LDAP
 LDAPPrimaryServer=Primary server
 LDAPSecondaryServer=Secondary server
 LDAPServerPort=Server port
-LDAPServerPortExample=Default port: 389
+LDAPServerPortExample=Standard or StartTLS: 389, LDAPs: 636
 LDAPServerProtocolVersion=Protocol version
 LDAPServerUseTLS=Use TLS
-LDAPServerUseTLSExample=Your LDAP server use TLS
+LDAPServerUseTLSExample=Your LDAP server use StartTLS
 LDAPServerDn=Server DN
 LDAPAdminDn=Administrator DN
 LDAPAdminDnExample=Complete DN (ex: cn=admin,dc=example,dc=com or cn=Administrator,cn=Users,dc=example,dc=com for active directory)